fscrypt.git/crypto/crypto_test.go, branch 0.1.0 Go tool for managing Linux filesystem encryption Finalize import paths and documentation 2017-06-28T22:15:21+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-06-28T20:57:55+00:00 2c52eca8727df744d093703bbcbd87fc39d57d30 This commit changes all the internal import paths from `fscrypt/foo` to `github.com/google/fscrypt/foo` so that it can be built once we release externaly. The documentation in README.md is updated accordingly. Also, the README has a note noting that we do not make any guarantees about project stability before 1.0 (when it ships with Ubuntu). Change-Id: I6ba86e442c74057c8a06ba32a42e17f94833e280 
This commit changes all the internal import paths from `fscrypt/foo` to
`github.com/google/fscrypt/foo` so that it can be built once we release
externaly. The documentation in README.md is updated accordingly.

Also, the README has a note noting that we do not make any guarantees
about project stability before 1.0 (when it ships with Ubuntu).

Change-Id: I6ba86e442c74057c8a06ba32a42e17f94833e280
actions: Simplify the callback mechanism 2017-06-26T22:40:08+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-06-01T00:54:35+00:00 defd27f75df3a6eef84ac33adf89b1ce255e738c This commit makes the callbacks for getting keys easier to understand. Functions which need keys now take a KeyFunc callback. This callback contains a ProtectorInfo parameter (basically a read-only version of metadata.ProtectorData) and a boolean which indicates if the call is being retried. The documentation is also updated to say which functions will retry the KeyFunc. For selecting a protector, there is now an OptionFunc callback which takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo along with additional information about a linked filesystem (if applicable). This commit also adds in methods for getting the protector options for a specific filesystem or policy. It also adds a function for getting the policy descriptor for a specific path. Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90 
This commit makes the callbacks for getting keys easier to understand.
Functions which need keys now take a KeyFunc callback. This callback
contains a ProtectorInfo parameter (basically a read-only version of
metadata.ProtectorData) and a boolean which indicates if the call is
being retried. The documentation is also updated to say which functions
will retry the KeyFunc.

For selecting a protector, there is now an OptionFunc callback which
takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo
along with additional information about a linked filesystem (if
applicable).

This commit also adds in methods for getting the protector options for a
specific filesystem or policy. It also adds a function for getting the
policy descriptor for a specific path.

Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90
crypto: add in additional keyring functionality 2017-06-16T05:32:35+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-06-08T17:51:04+00:00 ea3e258610340de0dd585c221f4e18a199f16bca This commit adds in the FindPolicyKey and RemovePolicyKey functions to complement the InsertPolicyKey function. The existing functions were also refactored slightly. Change-Id: Iabd275f2186a9e3023d5efd44c772966123e3657 
This commit adds in the FindPolicyKey and RemovePolicyKey functions to
complement the InsertPolicyKey function. The existing functions were
also refactored slightly.

Change-Id: Iabd275f2186a9e3023d5efd44c772966123e3657
crypto: tests, errors, and descriptor computation 2017-05-31T19:37:35+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-05-24T01:41:36+00:00 bc66b8a56ee7ae4f703cf30502aff8b7d68953d0 This changes the crypto package so it now builds in light of the changes to the util and metadata package. This commit also improves the error handling, adds tests, and makes it so recovery keys now correspond to Policy keys (as they are used to recover a directory in the absence of any metadata). The only feature addition here is the ability to compute descriptors. For backwards compatibility, we keep the same descriptor algorithm used before (double SHA512). Change-Id: Ia2b53c6e85ce65c57595e6823d3c4c92219bc8dc 
This changes the crypto package so it now builds in light of the changes
to the util and metadata package. This commit also improves the error
handling, adds tests, and makes it so recovery keys now correspond to
Policy keys (as they are used to recover a directory in the absence of
any metadata).

The only feature addition here is the ability to compute descriptors.
For backwards compatibility, we keep the same descriptor algorithm used
before (double SHA512).

Change-Id: Ia2b53c6e85ce65c57595e6823d3c4c92219bc8dc
crypto: passphrase hashing with Argon2 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-03T01:32:50+00:00 3f9c09b1e0901248c96c47e392a2888c40b2f182 This commit adds in the PassphraseHash function which hashes the provided passphrase (in key form) using Argon2id. This cost parameters for Argon2id and that salt are both fed into the function. It also includes tests and benchmarks for the passphrase hashing. Change-Id: I060db3e71213c756d45ce5603a0a59d3d7a1e609 
This commit adds in the PassphraseHash function which hashes the
provided passphrase (in key form) using Argon2id. This cost parameters
for Argon2id and that salt are both fed into the function. It also
includes tests and benchmarks for the passphrase hashing.

Change-Id: I060db3e71213c756d45ce5603a0a59d3d7a1e609
crypto: reading and writing recovery keys 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-02T22:01:20+00:00 ee10adc91e79bca395a6b069797a99863fc957dd This commit adds in the concept of recovery codes: human-readable strings that contain the necessary information to rederive a cryptographic key. These keys look like: 73PZBXVP-DKJX7SKV-NNTFIC7A-QEGRPZUX-4K5ORRH2-MTKMKP3B-HFCA==== They are input or output directly to a io.Reader or io.Writer respectively. This prevents the data from passing through unsecured memory before it gets to its destination. Of course, if the provided io.Reader or io.Writer is insecure, there is nothing we can do. In most cases the provided io.Reader or io.Writer will be stdin or stdout. In some rare cases you might want to pipe the output to another key. This commit also adds tests and benchmarks for encoding/decoding recovery codes. It also tests that encoding/decoding will fail in the correct situations. A benchmark is also added to measure the effect of locking the keys in memory. Change-Id: Ifa0bc4c08582789785cf1cdd9a4acfe76c79534f 
This commit adds in the concept of recovery codes: human-readable
strings that contain the necessary information to rederive a
cryptographic key. These keys look like:
	73PZBXVP-DKJX7SKV-NNTFIC7A-QEGRPZUX-4K5ORRH2-MTKMKP3B-HFCA====

They are input or output directly to a io.Reader or io.Writer
respectively. This prevents the data from passing through unsecured
memory before it gets to its destination. Of course, if the provided
io.Reader or io.Writer is insecure, there is nothing we can do. In most
cases the provided io.Reader or io.Writer will be stdin or stdout. In
some rare cases you might want to pipe the output to another key.

This commit also adds tests and benchmarks for encoding/decoding
recovery codes. It also tests that encoding/decoding will fail in the
correct situations. A benchmark is also added to measure the effect of
locking the keys in memory.

Change-Id: Ifa0bc4c08582789785cf1cdd9a4acfe76c79534f
crypto: secure key wrapping/unwrapping 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-02T19:58:07+00:00 8128b35375dfc4846dd1573dda55ef232ffd2d66 This commit adds in the ability to use the WrappedKeyData from the metadata package to wrap and unwrap cryptographic keys of any length. This makes use of several cryptographic primitives: - Unsalted, SHA256-based HKDF for key stretching - AES256 in CTR mode for encryption - SHA256-based HMAC for authentication Note that the key wrapping/unwrapping uses an "Encrypt then MAC" scheme for doing authenticated unwrapping. This means we can detect if bogus metadata has been given. This package also standardizes the length for fscrypt's internal keys. This CL is the first to add benchmarks, which can be run with: go test -bench=. ./... Change-Id: I2e5fc23a8a8cc36b17ccb3f26f03edcaccc517e1 
This commit adds in the ability to use the WrappedKeyData from the
metadata package to wrap and unwrap cryptographic keys of any length.
This makes use of several cryptographic primitives:
	- Unsalted, SHA256-based HKDF for key stretching
	- AES256 in CTR mode for encryption
	- SHA256-based HMAC for authentication

Note that the key wrapping/unwrapping uses an "Encrypt then MAC" scheme
for doing authenticated unwrapping. This means we can detect if bogus
metadata has been given. This package also standardizes the length for
fscrypt's internal keys.

This CL is the first to add benchmarks, which can be run with:
	go test -bench=. ./...

Change-Id: I2e5fc23a8a8cc36b17ccb3f26f03edcaccc517e1
crypto: add secure random reader using getrandom 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-02T19:58:07+00:00 49b3026574ab692cfabcabe90751b163a76df31b This commit adds in RandReader, a cryptographically secure io.Reader that will fail when the os has insufficient randomness. This is done using the getrandom() syscall in non-blocking mode. see: http://man7.org/linux/man-pages/man2/getrandom.2.html Any kernel new enough to have filesystem encryption will also have this syscall. This RandReader is preferable to the one provided by the standard library in crypto/rand. See the bugs: https://github.com/golang/go/issues/11833 https://github.com/golang/go/issues/19274 This will be removed when go updates the crypto/rand implementation. Change-Id: Icccaf07bc6011b95cd31a5c268e7486807dcffe2 
This commit adds in RandReader, a cryptographically secure io.Reader
that will fail when the os has insufficient randomness. This is done
using the getrandom() syscall in non-blocking mode.
  see: http://man7.org/linux/man-pages/man2/getrandom.2.html
Any kernel new enough to have filesystem encryption will also have this
syscall.

This RandReader is preferable to the one provided by the standard
library in crypto/rand. See the bugs:
	https://github.com/golang/go/issues/11833
	https://github.com/golang/go/issues/19274
This will be removed when go updates the crypto/rand implementation.

Change-Id: Icccaf07bc6011b95cd31a5c268e7486807dcffe2
crypto: insert key into keyring from go 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-02T19:47:07+00:00 53d15f466a665e4e564af3afdcbcfe9ff1c91331 This commit adds in the ability to insert Keys into the kernel keyring from go code. This is done via a patched version of x/sys/unix. We also expose the specific requirements for keys that will be placed in the keyring, namely PolicyKeyLen. The legacy services are also exposed. Change-Id: I177928c9aa676cae13b749042b9a3996e7490f68 
This commit adds in the ability to insert Keys into the kernel keyring
from go code. This is done via a patched version of x/sys/unix. We
also expose the specific requirements for keys that will be placed in
the keyring, namely PolicyKeyLen. The legacy services are also exposed.

Change-Id: I177928c9aa676cae13b749042b9a3996e7490f68
crypto: Key struct for secure buffers 2017-05-02T20:39:18+00:00 Joe Richey joerichey@google.com 2017-03-02T19:22:43+00:00 20924ca06efba5a50356bdb5abb1f7b87f34f817 This commit adds in the crypto package, which will hold all of the security primitives for fscrypt. This first component deals with securely handling keys in memory. To do this in a consistent way across fscrypt, we introduce the Key struct. Any sensitive memory (like keys, passwords, or recovery tokens) in fscrypt will be held in a Key. No code outside of the crypto package should access the Key's data directly. Convenience functions and methods are provided to construct keys from io.Readers (either with fixed length or with variable length) and to access information about the Keys. The most important property of Keys is that the data is locked in memory on construction, and the data is unlocked and wiped when Wipe is called. This happens either by something like "defer key.Wipe()" or through the finalizer. Change-Id: Ice76335f3975efb439b3f1ab605ef34cb7fcb4d6 
This commit adds in the crypto package, which will hold all
of the security primitives for fscrypt. This first component deals with
securely handling keys in memory. To do this in a consistent way across
fscrypt, we introduce the Key struct.

Any sensitive memory (like keys, passwords, or recovery tokens) in
fscrypt will be held in a Key. No code outside of the crypto package
should access the Key's data directly. Convenience functions and methods
are provided to construct keys from io.Readers (either with fixed length
or with variable length) and to access information about the Keys.

The most important property of Keys is that the data is locked in memory
on construction, and the data is unlocked and wiped when Wipe is called.
This happens either by something like "defer key.Wipe()" or through the
finalizer.

Change-Id: Ice76335f3975efb439b3f1ab605ef34cb7fcb4d6